Google 'powerless' to stop AdSense theft

Google's Adsense earnings are threatened by a trojan that replaces the search giant's paid-for adverts with its own, in order to hijack advertising revenue.

Google's AdSense earnings are threatened by a trojan that replaces the search giant's paid-for adverts with its own, in order to hijack advertising revenue.

Launched in 2005, Google AdSense allows third-party Web sites or publishers to generate revenue from Google's text advertisers.

AdSense acts as a middleman between an advertiser and a publisher. By crawling the content of publishers' Web pages, AdSense determines the relevance of a text ad to page content and then places the ad within the page if there is a match.

Trojan.Qhost.WU, discovered by security firm BitDefender, has been designed to replace ads served by Google on third-party Web sites that use Google's AdSense network. The ads are replaced with alternative ads called from hosts outside the AdSense network.

"The Trojan sits on the user's 'hosts' file -- located in the "%WINDIR%\System32\drivers\etc" directory -- to redirect the initial query ... to a malicious host," explained BitDefender.

Although it has not been established whether the ads served -- or the pages that the ads link to -- contain malicious software, BitDefender virus analyst Attila-Mihaly Balazs said it is "a very likely situation, given that they are promoted using malware in the first place".

Fears for consumers centre on the dramatic rise in the use of Web pages to inject malicious HTML code through browsers. Security firm Sophos earlier this year highlighted that as many as 30,000 new Web pages each day were being used to spread malicious software.

Want to know more?

    For all the latest news, analysis and opinion on security, click here

However the biggest victim in this case may be Google itself, as it makes the majority of its money from advertising. According to Nishad Herath, senior researcher at McAfee's AvertLabs, Google is powerless to stop the trojan stealing Google's space on third-party sites.

"There's nothing a search vendor can do to protect against the problem since it works by locally modifying content that's being displayed on the browser. There's absolutely nothing that Google or any ad vendor can do about that," said Herath.

Publishers on Google's AdSense network may also lose revenue if the trojan becomes widespread.

"[The trojan] takes away viewers and thus a possible money source from their Web sites," said BitDefender's Balazs.

Meanwhile Google has an entirely different battle on its hands as it attempts to maintain the integrity of its AdSense network. By making it easy for businesses to buy ad space on its network, Google has faced the problem of malicious advertisers exploiting the network to deliver malware to users.

"Google's business model is to make it easy for advertisers to place ads on Google's network of publisher sites that produce relevant content. What's happened is that some advertisers include malicious content as part of the advertisement or they host malware on the links that people go to when they click on a link," said McAfee's Herath.

"Ad vendors have been cracking down on these sites as they find out about them. It's a big problem because you have to go through all the links to find out whether they contain malicious content or not," he added.

Google yesterday said its policy is to remove sites that redirect users to malicious pages, but this approach will not prevent the trojan from damaging its revenue since it sits on the user's PC and causes the browser to bypass the AdSense network completely.

"While you would expect the ad vendors to sort of deal with the quality of people who they allow to advertise using their networkings, things like this trojan are a client-side issue," said Herath.